Terraforming Azure Management Groups

If you’ve been following my blog, or are connected with me on LinkedIn and Twitter, you’ll know that I’m engaged in a project where I am a part of a team that’s designing and deploying a global enterprise-level environment using Infrastructure-as-Code (IaC) via Terraform.

Part of this enterprise-level environment will include the use of Azure Management Groups.

Management Groups

As a quick primer for anyone who has not used Management Groups before: they allow you to group your Azure Subscriptions together. Why would you want to do that? Well, you can use them to apply governance controls (like Role-Based Access Control, Policy, etc.) to multiple Subscriptions at the same time.

The issue is, ‘terraform destroy’ is not able to move/re-assign the Subscription to another Management Group (e.g. the Root Management Group). As a result, it can’t reverse what it’s created.
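One way to catch this before running the destroy, as an added example that is not from the original post: a Python check over the JSON form of a destroy plan (`terraform plan -destroy -out=tfplan`, then `terraform show -json tfplan`) that lists every `azurerm_management_group` being deleted while it still holds Subscriptions. The plan file name `tfplan`, the sample plan, the resource names and the subscription IDs are constructed placeholders.

```python
import json

# Constructed sample: trimmed output of `terraform show -json <planfile>` for a
# destroy plan. Resource names and subscription IDs are placeholders.
SAMPLE_PLAN = json.loads("""
{
  "resource_changes": [
    {"address": "azurerm_management_group.corp",
     "type": "azurerm_management_group",
     "change": {"actions": ["delete"],
                "before": {"display_name": "Corp",
                           "subscription_ids": ["00000000-0000-0000-0000-000000000001"]},
                "after": null}},
    {"address": "azurerm_management_group.sandbox",
     "type": "azurerm_management_group",
     "change": {"actions": ["delete"],
                "before": {"display_name": "Sandbox", "subscription_ids": []},
                "after": null}},
    {"address": "azurerm_resource_group.net",
     "type": "azurerm_resource_group",
     "change": {"actions": ["delete"], "before": {"name": "rg-net"}, "after": null}}
  ]
}
""")


def groups_blocking_destroy(plan):
    """Return {address: [subscription ids]} for management groups that the plan
    deletes while they still have Subscriptions assigned."""
    blocked = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "azurerm_management_group":
            continue
        change = rc.get("change", {})
        if "delete" not in change.get("actions", []):
            continue
        # `before` is the prior state; it is null for resources being created.
        subs = (change.get("before") or {}).get("subscription_ids") or []
        if subs:
            blocked[rc["address"]] = sorted(subs)
    return blocked


if __name__ == "__main__":
    for address, subs in groups_blocking_destroy(SAMPLE_PLAN).items():
        print(f"{address}: move {len(subs)} subscription(s) out before destroying")
        for sub in subs:
            print(f"  - {sub}")
```

Any Subscription it reports needs to be moved to another Management Group by hand (or by a separate step) before the destroy is applied.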

Conclusion

While Terraform is a nice, human-readable coding language, there are some caveats and limitations. Working with Management Groups is an example. Now, that’s not to say this issue will not be resolved in a future code update, but it’s where we are now.

Just keep that in mind, and always perform unit tests of your code (on as small a piece of code as possible), to ensure you discover any challenges with the approach you’re trying to utilize.